Patch Tuesday January 2015 Preview

It is January 2015 and the week before the year’s first Patch Tuesday. Microsoft should have posted their first Advance Notification (ANS) kicking off the patch cycle. But a new year brings many changes and the Advanced Notification is affected by one of them. Microsoft will stop providing the ANS information to the general public and parties interested will have to ask for the it through their account manager. Hmmh, I personally have always thought that our customers were interested in the information contained in ANS, but we will see how that works out.

But lets take a look in the past year to see what we can expect this year. 2014 has been a pretty turbulent year for Information Security in general. There were a high profile data breaches such as JP Morgan Chase, Home Depot and Sony, critical vulnerabilities in Open Source Software like Heartbleed in OpenSSL and Shellshock in Bash, retired software (Windows XP, Java 6) and an elevated number of 0-day vulnerabilities in software from Microsoft and Adobe, who patched Flash every month in 2014.

And 0-days continue to be present even as the year starts, this time though not from an attacker, but from the security research team. Google’s Project Zero researches vulnerabilities in common software and publishes the results in a transparent manner. Companies have 90 days to address issues before the vulnerability information becomes public. James Forshaw from the Project Zero team found a local privilege escalation vulnerability in Windows 8.1 on September 30 and made it public on December 29th, reigniting the discussion on the benefit of these disclosures without having a patch available (see comments here: https://code.google.com/p/google-security-research/issues/detail?id=118). The vulnerability is for local escalation only, meaning an attacker needs to have access to the target machine already to make use of it. But once on the machine it allows the attacker to become administrator giving total control over the target machine. Remember Stuxnet? There the attacker equipped the malware with 2 local 0-days allowing them to become administrator in order to gain full control – this vulnerability is in a similar class. By itself not too much to worry about, but in combination with other vulnerabilities or access through stolen credentials certainly valuable.

Let me know what you think about this change and tune in next week when the actual Patch Tuesday comes along.